From owner-freebsd-security Wed Jun 26 17: 7:12 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ainaz.pair.com (ainaz.pair.com [209.68.2.66])
	by hub.freebsd.org (Postfix) with SMTP id 1A92337BCF0
	for ; Wed, 26 Jun 2002 16:15:00 -0700 (PDT)
Received: (qmail 58293 invoked by uid 3338); 26 Jun 2002 21:28:14 -0000
Date: Wed, 26 Jun 2002 17:28:14 -0400
From: Travis Cole
To: freebsd-security@freebsd.org
Subject: Re: Wow
Message-ID: <20020626212812.GA55744@ainaz.pair.com>
References: <20020626121754.F8071@mail.seattleFenix.net> <200206261919.g5QJJLLI018466@cvs.openbsd.org> <20020626202057.GA7152@zot.electricrain.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020626202057.GA7152@zot.electricrain.com>
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Jun 26, 2002 at 01:20:57PM -0700, Chris Doherty wrote:
> At some point, Theo de Raadt said:
> > I've barely slept in a week.
>
> For myself, with my one machine, I'm just annoyed. If I had gone through
> this bullshit on 40 machines, when I could have just modified a config
> file, I'd be pissed, and rightfully so.
>
> But, *shrug*. I'll not give such credence to vague warnings in the
> future--lesson learned.

Well, the fact is they just released 5600 lines of fixes and such for
OpenSSH.

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1-vs-openbsd.diff.gz

That's a big patch. And Theo has said there are probably other holes in
there. I think I trust him on that.

I've watched the OpenBSD and OpenSSH projects for a long time, and because
of that I have some idea how things operate. They often fix issues that
may or may not have led to a working exploit. They fix bugs. Bugs can
cause security holes. OpenSSH 3.4 has a *LOT* of bug fixes.

And the PrivSep does reduce the chances of any still existing bugs causing
real security issues.

http://www.citi.umich.edu/u/provos/ssh/privsep.html

It's a good idea to upgrade to 3.4. I've got 300 boxes that will be
upgraded soon. Most of them are running pre-3.0 SSH versions. I'm
upgrading anyway.

--
-tcole

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
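The privilege separation the mail points to works roughly as follows; the block below is an added C example written for this page, not code from the mail or from OpenSSH. A privileged monitor holds the secret (here a constructed byte string standing in for the host key) and forks an unprivileged child; the two talk over a socketpair, and the monitor serves only a small, validated set of requests, so a bug in the child yields a process that has no key material and, when started as root, has already dropped to an unprivileged uid. The request types, the toy FNV-1a "signing" function, and the uid/gid 65534 are assumptions made for the illustration.

```c
/* Added example (not OpenSSH code): a minimal privilege-separation skeleton
 * in the spirit of sshd's privsep: a privileged monitor serving a small,
 * validated set of requests to an unprivileged child over a socketpair.
 * Request types, toy "signing", key bytes and uid/gid 65534 are constructed. */
#define _DEFAULT_SOURCE 1            /* glibc: declares setgroups() */
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum { REQ_SIGN = 1, REQ_GET_KEY = 2 };
enum { RESP_OK = 0, RESP_DENIED = 1 };
struct req  { uint32_t type; uint32_t len; unsigned char data[64]; };
struct resp { uint32_t status; uint32_t value; };

/* Secret the monitor guards; stands in for the host key (constructed). */
static unsigned char monitor_key[32] = "monitor-only-host-key-material";

/* Toy keyed checksum (FNV-1a over key || data) standing in for a signature. */
uint32_t toy_sign(const unsigned char *d, uint32_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof monitor_key; i++) h = (h ^ monitor_key[i]) * 16777619u;
    for (uint32_t i = 0; i < len; i++)              h = (h ^ d[i]) * 16777619u;
    return h;
}

/* Monitor policy: fixed set of operations, every field validated, the key
 * itself is never handed out. Returns 0 if served, -1 if refused. */
int monitor_handle(const struct req *rq, struct resp *rs) {
    memset(rs, 0, sizeof *rs);
    if (rq->type == REQ_SIGN && rq->len <= sizeof rq->data) {
        rs->status = RESP_OK;
        rs->value  = toy_sign(rq->data, rq->len);
        return 0;
    }
    rs->status = RESP_DENIED;        /* REQ_GET_KEY, oversized len, unknown type */
    return -1;
}

/* Read exactly n bytes from a stream socket; -1 on EOF or error. */
static int read_full(int fd, void *buf, size_t n) {
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Child side: wipe the inherited copy of the secret and, if root, drop to
 * an unprivileged uid/gid so a bug triggered later has little to work with. */
static int demote(void) {
    memset(monitor_key, 0, sizeof monitor_key);   /* cf. sshd's demote_sensitive_data() */
    if (geteuid() != 0) return 0;                  /* non-root demo run: nothing to drop */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(65534) != 0 || setuid(65534) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;                /* must not be able to regain root */
}

/* Child sends one request and reports the status the monitor returned. */
static int ask(int fd, uint32_t type, const char *msg, uint32_t *status) {
    struct req rq = { type, (uint32_t)strlen(msg), {0} };
    struct resp rs;
    if (rq.len > sizeof rq.data) return -1;
    memcpy(rq.data, msg, rq.len);
    if (write(fd, &rq, sizeof rq) != (ssize_t)sizeof rq) return -1;
    if (read_full(fd, &rs, sizeof rs) != 0) return -1;
    *status = rs.status;
    return 0;
}

/* One privsep round trip: the child wipes its secrets, asks for a signature
 * (served) and for the key itself (refused). Returns 0 when the policy held. */
int privsep_demo(void) {
    int sv[2], st;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 10;
    if ((pid = fork()) < 0) return 11;
    if (pid == 0) {                                 /* unprivileged child */
        uint32_t s1, s2;
        close(sv[0]);
        if (demote() != 0) _exit(2);
        if (ask(sv[1], REQ_SIGN, "exchange-hash-to-sign", &s1) != 0) _exit(3);
        if (ask(sv[1], REQ_GET_KEY, "", &s2) != 0) _exit(3);
        _exit(s1 == RESP_OK && s2 == RESP_DENIED ? 0 : 4);
    }
    close(sv[1]);                                   /* monitor: serve until the child goes away */
    for (;;) {
        struct req rq; struct resp rs;
        if (read_full(sv[0], &rq, sizeof rq) != 0) break;
        monitor_handle(&rq, &rs);
        if (write(sv[0], &rs, sizeof rs) != (ssize_t)sizeof rs) break;
    }
    close(sv[0]);
    if (waitpid(pid, &st, 0) != pid) return 12;
    return WIFEXITED(st) ? WEXITSTATUS(st) : 13;
}

int main(void) {
    int rc = privsep_demo();
    printf("privsep demo: %s (rc=%d)\n", rc == 0 ? "policy held" : "FAILED", rc);
    return rc;
}
```

The point of the pattern is the direction of trust: the monitor never accepts a pointer, a length it has not bounded, or an operation outside its fixed table, and the child cannot ask for the key, only for the results of using it. That is why a memory-safety bug reached before authentication in a privsep'd sshd lands in a process that has no private key and no root, rather than in the listener.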